I am a sys admin of our system, we are running zimbra as email server in our environment. I got the following message from the CEO.

"Every time I send or receive an email, I get SPAM ads a few minutes later related to the keyword. There is something planted in our email system that is 'listening' and causing that to occur."

I am figuring out if this is true. I have checked, and there is no extra port listening on the server. My question is, are there any known Zimbra/email server trojans which would do something like this? I don't think this is the case, but I need some suggestions about the issue in case someone has faced the same situation.

3 Answers

In case of infection you need to scan the system for certain clues, such as .lnk or related malicious entries that have infected Zimbra in the past. A quick manual check would be to match the sha1/md5 sum of those files (on the desktop) with the checksums on the net (Zimbra forums).

It will be worth capturing some traffic and analysing it, using a test email to a lab computer that you can use for experimental purposes. This would help you identify whether it's to do with the system or the email service.

Most of the intelligent infections don't need extra ports, as they utilise generic, most-trusted ports such as 80, 443 and 25, which are used for web/email services.

Assuming your CEO is using a Windows based computer, I would start with an inspection of his or her machine. Although Anti-Virus isn't a perfect defense against Malware, it is a good seat-belt. You will want to ensure that Anti-Virus is installed, running, and up-to-date with the latest definitions. Do a full scan and see if that yields any results. If so, analyze the results using Google (i.e., Google the name of the Malware found on his or her machine) and see if the Malware is a contributing factor to the behavior you are seeing.

If you are comfortable with a packet sniffer like Wireshark, perhaps you could monitor traffic originating from the CEO's machine to see if you detect any command & control traffic or any other suspicious activity before, during and after he or she sends an email. Assuming your CEO is using a Windows based computer, there are several steps you could take to detect and analyze Malware on a live system by reading the first few chapters of the Practical Malware Analysis book.

If you are not comfortable with any of the above solutions, you could try a process of elimination test, where you give the CEO another computer and have him or her send emails from there. If the problem persists, you can at least rule out Malware on his or her computer.

A second place to look would be your mail server. Similar to detecting and analyzing Malware on a Windows computer, there are a few steps you could take on a Linux based machine by reading a few chapters of the Malware Forensics book. I hope this helps; if you like, maybe we can connect on IM and I can give you more information.
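As an added example (not from the question or either answer above), here is one way to run the elimination test both answers describe: send one test email per path, each carrying a unique canary keyword, then check which canaries turn up in the spam that follows. The path names and the sample spam lines are constructed for this example; actually sending the emails and collecting the spam is done with whatever mail client the admin prefers.

```python
import secrets
from typing import Dict, List

# Constructed test paths (assumed names). A spam hit on a canary points at the
# component shared only by the paths that leaked: CEO's PC, Zimbra, or neither.
PATHS = {
    "ceo-pc-via-zimbra": "CEO's usual machine, sent through the Zimbra server",
    "lab-pc-via-zimbra": "clean lab machine, sent through the Zimbra server",
    "lab-pc-via-external": "clean lab machine, sent through an outside mail service",
}


def make_canary(path: str) -> str:
    """Unique, unguessable keyword tied to one path; use it as the test email's subject."""
    return f"canary-{path}-{secrets.token_hex(6)}"


def build_plan(paths: Dict[str, str] = PATHS) -> Dict[str, str]:
    """Map canary -> path. Send exactly one test email per entry."""
    return {make_canary(p): p for p in paths}


def attribute_spam(plan: Dict[str, str], spam_texts: List[str]) -> Dict[str, int]:
    """Count spam messages that mention each path's canary (case-insensitive)."""
    hits = {p: 0 for p in plan.values()}
    for text in spam_texts:
        low = text.lower()
        for canary, path in plan.items():
            if canary.lower() in low:
                hits[path] += 1
    return hits


def diagnose(hits: Dict[str, int]) -> str:
    """Name the component to investigate next, based on which paths leaked."""
    if hits.get("lab-pc-via-external", 0):
        return "leak persists off Zimbra: look beyond the server (recipient side or lab machine)"
    if hits.get("lab-pc-via-zimbra", 0):
        return "leak follows the Zimbra server: investigate the mail server"
    if hits.get("ceo-pc-via-zimbra", 0):
        return "leak follows the CEO's machine: investigate that endpoint"
    return "no canary reached spam: keyword match may be coincidence; extend the observation window"


if __name__ == "__main__":
    plan = build_plan()
    # Constructed spam lines standing in for what arrived after the test emails.
    spam = [f"Great deal on {list(plan)[0]} today!", "unrelated offer"]
    print(diagnose(attribute_spam(plan, spam)))
```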

I'd scan the CEO's machine first and then tell him to stop going to porn sites on his work computer. Joking aside, I would want to check his computer for the problem first. Executives in particular seem to have a tendency to go to sites they shouldn't in a work environment and have a tendency to pick things up along the way since they aren't generally as worried about being fired for goofing off on the clock.